NHS Surrey's £200,000 data breach scandal: what not to do

Secure data erasure should be part of every company's security strategy, but be aware that permanent data destruction requires careful consideration

The NHS Surrey scandal is a reminder that if company data isn’t destroyed during the asset disposal or recycling process, they will still be in breach of the Data Protection Act. Photograph: Dominic Lipinski/PA

NHS Surrey was fined £200,000 last month by data regulators after losing sensitive information about 3,000 patients. The hospital didn't actually 'lose' data in the classic sense of misplacing and never finding it, nor was it a victim of a vicious malware attack.

They actually failed to check that the data destruction company charged with getting the computers ready for recycling had properly destroyed the records. The data destruction company passed on data, believing that crushing hard drives was enough to permanently erase the NHS computers.

Any reputable data erasure specialist will tell you that this method of disposal will leave information relatively easily accessible. Deleted data can be retrieved from damaged equipment or from formatted or corrupt volumes – even from initialised disks.

The peace of mind that comes with erasing data permanently requires the use of accredited erasure software, or for non-functioning computers, a degausser. In the NHS Surrey case, the computers were not placed in safe hands. This resulted in a hefty fine for the NHS and public condemnation for the company charged with recycling the computers securely.

What's even more shocking was just how easy it was for the data to be found on the computers. The Information Commissioner's Office (ICO) was alerted to the breach by an ordinary member of the public who had purchased one of the computers and found the data on their desktop. According to the data watchdog, this was one of the worst data breaches it had ever seen.

The NHS Surrey scandal highlights the importance of education about data erasure requirements. Here in the UK there are legal requirements for secure data deletion – failure to do so can mean a hefty fine. Yet even legal requirements aren't enough to stop data leaks.

Elsewhere, the potential for breaches is also high. At Kroll Ontrack, we recently carried out a study on the methods companies use to erase data. The survey of more than 1,500 participants in 12 different countries revealed that less than half of the respondents made the effort to delete sensitive data from their old computers or hard drives. More than 60% of computers discarded by professionals are usually intact and still contain data from the previous owner when they are placed on the secondhand market.

Here are three things that businesses can do right now to avoid this type of data breach:

1. If the hardware is functioning, buy reputable erasure software: This is software that meets government data deletion standards. It will permanently wipe all traces of data, and can be bought and downloaded online. The better erasure software not only permanently wipes all traces of data, but also provides erasure verification reports and a detailed audit trail for legal compliance.

2. For non-functioning computers, buy or rent a degausser to eliminate data

3. If a DIY solution is not an option, find a reliable asset disposal services: A Google search will reveal many companies offering their services, but finding a reliable one requires you to ask the company if it employs engineers for the job and whether they have security clearance accredited by recognised bodies. Also ask the supplier to provide references or case studies for erasure products and services.

The NHS Surrey scandal is a reminder to organisations that if company data isn't destroyed during the asset disposal or recycling process, even after it has left the organisation, they will still be in breach of the Data Protection Act. For the sake of the organisation's reputation and the safety of employees – and in some cases patients – make sure the data deletion process is done properly and completed professionally.